LastPass Now Checks If Your Sites Are Affected by Heartbleed

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users check whether their sites and services had reissued their certificates after patching, which is the signal that it is safe to start updating passwords for those sites (a password changed over a connection whose private key may already have been exposed gains nothing): https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we’ve added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to see automatically 1) which of their stored sites and services were affected by Heartbleed, and 2) whether they should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed.

We will continue to update the Security Check recommendations based on which sites we have seen take action and where it is safe to update your passwords. We’ll monitor the situation in general and keep our community posted.

Many users are still concerned about what the Heartbleed situation means for their LastPass master passwords. To further clarify, we do not see a need at this time for existing LastPass users to update their master passwords. That said, if you would prefer to, there is no harm in doing so. We continue to update our LastPass Security Check tool to provide you the latest information regarding potentially-impacted sites. Thanks to our community for the feedback and input.
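As an added illustration of the logic the checker and the Security Check are described as applying above (this is example code written for this page, not LastPass's own tool, whose implementation the post does not publish), the script below combines the two signals a client can observe without exploiting anything: the OpenSSL version advertised in the HTTP `Server` header and the `notBefore` date of the site's certificate. The version rule (1.0.1 through 1.0.1f vulnerable, plus 1.0.2-beta1 from the OpenSSL advisory) and the public disclosure date of 2014-04-07 are taken as given; the function names, the three-way "wait / go update / not affected" mapping and the sample banners are my own assumptions.

```python
"""Heartbleed remediation check from two passive signals: the OpenSSL
version in the Server banner and the certificate's notBefore date.
Example code for this page; not LastPass's implementation."""
import re
import socket
import ssl
from calendar import timegm

# Heartbleed was disclosed on 2014-04-07 (UTC midnight, as epoch seconds).
# A certificate issued before that date was issued while its private key
# could have been read out of a vulnerable server's memory.
HEARTBLEED_DISCLOSURE = timegm((2014, 4, 7, 0, 0, 0))

# OpenSSL 1.0.1 (no letter) through 1.0.1f carried the bug; 1.0.1g fixed it.
VULNERABLE_1_0_1 = ("", "a", "b", "c", "d", "e", "f")

_BANNER_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def classify_openssl_banner(server_header):
    """Return 'vulnerable', 'patched', 'never affected', or None when the
    banner carries no OpenSSL version at all.

    Caveat: distributions routinely backport the fix without bumping the
    version string, so 'vulnerable' means "possibly vulnerable", never
    "confirmed"; only an actual heartbeat probe settles it."""
    m = _BANNER_RE.search(server_header)
    if not m:
        return None
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if branch == (1, 0, 1):
        return "vulnerable" if letter in VULNERABLE_1_0_1 else "patched"
    if branch == (1, 0, 2):
        # 1.0.2-beta1 shipped the bug; later 1.0.2 builds carry the fix.
        return "vulnerable" if beta == "-beta1" else "patched"
    # 0.9.8 and 1.0.0 never contained the TLS heartbeat code.
    return "never affected"


def cert_reissued_after_disclosure(not_before):
    """not_before is the 'notBefore' string as ssl.getpeercert() returns it,
    e.g. 'Apr  8 00:00:00 2014 GMT'.

    Caveat: a certificate reissued with the *same* key pair looks new here
    but offers no protection; notBefore alone cannot detect that."""
    return ssl.cert_time_to_seconds(not_before) >= HEARTBLEED_DISCLOSURE


def recommend(server_header, not_before):
    """Map the two signals onto the states the Security Check shows."""
    banner = classify_openssl_banner(server_header)
    if banner is None:
        return "unknown"          # no OpenSSL version visible; probe instead
    if banner == "never affected":
        return "not affected"
    if banner == "vulnerable":
        return "wait"             # still advertising a bad version
    # Patched branch: safe to change the password only once the cert that
    # may have leaked has been replaced.
    return "go update" if cert_reissued_after_disclosure(not_before) else "wait"


def live_signals(host, port=443, timeout=10):
    """Collect both signals from a live host (needs network; not used below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_before = tls.getpeercert()["notBefore"]
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            response = b""
            while chunk := tls.recv(4096):
                response += chunk
    hdr = re.search(rb"^Server:\s*(.*?)\r?$", response, re.M | re.I)
    return (hdr.group(1).decode(errors="replace") if hdr else ""), not_before


# Constructed sample inputs (the first banner is the one quoted in the comments).
SAMPLES = [
    ("Apache/2.2.25 (FreeBSD) PHP/5.2.17 with Suhosin-Patch mod_ssl/2.2.25 "
     "OpenSSL/1.0.1e DAV/2", "Mar  1 00:00:00 2014 GMT"),
    ("Apache/2.4.9 (Unix) OpenSSL/1.0.1g", "Apr 10 12:00:00 2014 GMT"),
    ("Apache/2.4.9 (Unix) OpenSSL/1.0.1g", "Jan 15 12:00:00 2014 GMT"),
    ("Apache/2.2.22 (Ubuntu) OpenSSL/1.0.0e", "Jan 15 12:00:00 2014 GMT"),
    ("Microsoft-IIS/7.5", "Apr 10 12:00:00 2014 GMT"),
]

if __name__ == "__main__":
    for banner, nb in SAMPLES:
        print(f"{recommend(banner, nb):<13} {nb}  {banner}")
```

The mapping is deliberately conservative: a site on a patched 1.0.1g build that still presents a pre-disclosure certificate is reported as "wait", because the key behind that certificate may have been exposed while the old build was running. Neither signal is proof; the only definitive test is a heartbeat probe against the server, which this example does not perform.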

237 Comments


My LastPass Security Challenge shows 24 sites, of which 4 tell me to Go Update, but of those 4 I only recognise Yahoo. The other 20 all tell me to WAIT, but I have never heard of them either, except my free Avast anti-virus, which tells me to WAIT, but I don’t remember needing a password for them (or I would have recorded it in a secret place where I kept all my passwords till now). It certainly continues to renew my registration each year without requesting my password.

Please explain what the heck I do with all the strange sounding ones that tell me to update my password!

When your checker states «Apache/2.2.25 (FreeBSD) PHP/5.2.17 with Suhosin-Patch mod_ssl/2.2.25 OpenSSL/1.0.1e DAV/2» in the «Server software» row, what exactly does it mean? Is it patched and safe or the patch is not related to OpenSSL and a website is unsafe? Thanks.

They reference the tool by Filippo Valsorda at https://filippo.io/Heartbleed/ and the LastPass Heartbleed checker at https://lastpass.com/heartbleed/ as having “Failed to Detect” when run against the proof-of-concept server they set up. Initially only their script and SSL Labs passed out of 15 tools tested. Since then 4 more, as of 18 Apr 2014, have fixed their scripts.

“Disclaimer: There have been unconfirmed reports that this script can crash certain servers. This script complies with the TLS specification, so any crashes are the result of a bad implementation of TLS on the server side. CNS Hut3 and Adrian Hayter do not accept responsibility if this script crashes a server you test it against. USE IT AT YOUR OWN RISK. As always, the correct way to test for the vulnerability is to check the version of OpenSSL installed on the server in question. OpenSSL 1.0.1 through 1.0.1f are vulnerable.”

The Age of Password field is not correct – it assumes a password is only as old as when it was imported (even if that password is marked as Never touched in LastPass). This means if you import passwords from another password manager AFTER the Heartbleed bug (like I did), almost all your passwords are marked as good.

When I ran your security test, one of the sites shown as vulnerable was Cabelas.com. I just got off online chat with them; they got pretty frosty, said that they’d applied “patches.” I got just as frosty back at them, saying yes, yes, patches are great — but have you updated your certificate? More frost. Going on about how Cabelas is safe safe safe, no worries here, your account info is perfectly safe in our hands.

Can you tell me — are they just trying to blow smoke up my butt, hoping I’ll just go away?

I trust your organization pretty much totally. I’d just delete my account from my LastPass vault, but that would still leave all my data sitting somewhere on a (possibly) compromised server. I want them to just delete it, lock, stock and barrel; I’ll sign up again when they get squared away.

If time ever permits, resort the list in A-Z order? Or three columns with lists in each column: wait, update now, etc. Thank you, Tom

What is LastPass?

LastPass simplifies your online life by remembering your passwords for you. With LastPass to manage your logins, it's easy to have a strong, unique password for every online account and improve your online security. Get started today - it's free.
